Blog | The FDA Group

QMSR Inspections: What FDA Is Citing First, and How to Prepare

Written by The FDA Group | June 18, 2026

The FDA's Quality Management System Regulation took effect on February 2, 2026, replacing the Quality System Regulation and incorporating ISO 13485:2016 into 21 CFR Part 820. On the same day, the agency retired the Quality System Inspection Technique it had used for decades and moved to a new process under Compliance Program 7382.850.

A few months in, the first data from QMSR inspections have arrived, and FDA officials have described it at several industry conferences. The headline is straightforward: the categories being cited are familiar, but the way an inspection reaches them has changed.

This guide covers what QMSR inspections are citing so far, how the new inspection model works, and the specific actions device manufacturers should take now to prepare.

What QMSR Inspections Are Citing So Far

At the FDA Law Institute's annual conference in May, Keisha Thomas, associate director in CDRH's Office of Product Evaluation and Quality, said the agency had completed just over 100 QMSR inspections.

For Form 483 observations issued between February and mid-April, she ranked the top areas as risk management, outsourcing and purchasing, complaint handling and feedback, UDI, and corrective action. Her summary of the central change was blunt:

"Risk, risk, risk, risk."

The order is not settled. At MedCon in late April, officials put risk management first, followed by outsourcing and purchasing. Speaking about four months in at the RAPS Quality Conference, Thomas listed risk management, corrective action, risk-based approach, complaint handling, and purchasing, and noted that the agency is largely seeing the same citations it saw before QMSR, only reordered.

That caveat is worth holding onto. The problems are not new. What changed is how QMSR inspections find them.

How QMSR Inspections Work Now

Under QSIT, investigators worked through four subsystems, each more or less in isolation. Under CP 7382.850, the inspection is organized around six QMS areas and built to follow product risk across the lifecycle.

The investigator identifies the risks a device could pose, then uses the company's own risk documentation to navigate the rest of the system. Risk management is no longer one file among many. It is the path the inspection takes.

Two structural changes deserve attention before you prepare:

  • QMSR removed the protection that previously kept internal audit reports, supplier audit results, and management review records out of the FDA's reach during an inspection. Those records are now open to review. A clean internal audit history is no longer automatically reassuring, since an absence of findings can mean the audits are not looking hard enough.
  • The old CAPA subsystem has been split. Corrective action, data analysis, and preventive action are now evaluated as separate areas, which matters when you read the citation rankings, as explained below.

We're recommending teams reorganize their QMS documentation and inspection-prep mental model around the six QMS areas in CP 7382.850, not the legacy QSIT subparts. Observations now reference ISO 13485 clause language.

Also, review your internal audit program against the assumption that the FDA can read the results. Make reports factual and specific, and make sure your audits are designed to find real issues.

📄  Read the FDA's own QMSR town hall transcript so your team understands how investigators are being told to inspect.

What follows is where the early findings are clustering, what investigators are looking for in each area, and what to do about it.

Risk Management

QMSR inspections treat risk management as a living system rather than a design deliverable. Thomas said firms are being cited for a lack of process and evidence showing that risk is rooted in their decisions, and stressed that risk management must keep evolving after launch.

Many companies still manage the risk file as something built during design and revisited only when a formal change forces it. On paper the file looks complete. What it often cannot show is how postmarket information flows back into it.

A few action items:

  • Confirm each risk file references current postmarket inputs: complaints, nonconformances, service data, field failures, and CAPA outcomes.
  • Add a documented trigger that requires a risk review when a complaint, deviation, or supplier issue reveals a new hazard or a changed frequency.
  • Verify that risk control effectiveness is checked in practice, not just defined on paper, and keep the evidence.
  • For one marketed product, be ready to show how a recent postmarket signal was assessed against the risk file and what changed as a result.

Supplier and Outsourcing Controls

QMSR inspections sharpen the supplier question from "was this supplier approved" to "is the level of control proportionate to the risk this supplier carries." The weakness investigators find is rarely an empty supplier file.

It's a generic one, where a low-risk packaging vendor and a critical contract sterilizer are governed by the same template and the same thin quality agreement.

A few action items:

  • Map every supplier and outsourced process to a risk tier, and confirm that qualification, monitoring, quality agreement depth, and change-notification requirements scale with the tier.
  • Replace one-size-fits-all supplier templates with something custom to each one. Strengthen your quality agreement language for critical suppliers and outsourced processes.
  • Tie incoming acceptance sampling and release criteria to product risk, and document the rationale.
  • Confirm that supplier change notifications trigger a documented downstream impact assessment.

Complaints and Feedback

Complaint handling is a recurring area of concern in QMSR inspections and our own audit work for device firms, and it usually fails at handoffs rather than in the procedure itself.

Intake comes in too thin to support an investigation. Classification rules are loose. Closed complaints never flow back into the rest of the system.

A few action items:

  • Make key intake fields required: device identifier, a clear event description, patient or user impact, and a specific failure mode.
  • Sharpen classification and escalation rules so the line between complaint, feedback, service issue, and reportable event is unambiguous.
  • Confirm and be able to demonstrate that closed complaints feed risk management, CAPA, trending, and MDR decision-making.

UDI

UDI reads like a labeling or registration task, but QMSR inspections are exposing it as a data-control problem. Investigators are instructed in the new inspection manual to confirm that the data in AccessGUDID matches the labeling and the device, and they review GUDID before they arrive on site.

Failures cluster around GUDID entries that do not match the label, direct-mark and labeled identifiers drifting apart across packaging revisions, and identifiers not updated when a model or kit configuration changes.

A few action items:

  • Reconcile the device identifier across four places: the label, your internal systems, GUDID, and the configuration actually on the market. Fix any mismatch!
  • Add change-control steps that update UDI and GUDID whenever a model, packaging, or kit configuration changes.
  • Build a periodic GUDID-to-label validation check that catches drift in identifiers and expiration encoding before an investigator does.

Corrective Action (and a Ranking That Misleads)

CAPA has been a top device finding for years, and QMSR does not change the basic expectation: find the cause, act, verify effectiveness, prevent recurrence. What changes is the standard of adequacy. A CAPA that stops at the manufacturing symptom is harder to defend when the evidence points to a design, supplier, validation, or risk-control cause.

Do not read corrective action's middle-of-the-pack ranking as good news! Because CP 7382.850 splits the old CAPA subsystem into separate areas, the apparent decline in corrective-action citations is partly an accounting effect that can hide exposure across data analysis and preventive action.

The work did not get easier here. It just sort of got distributed.

A few action items:

  • Scale root cause depth to the severity and recurrence of the issue, and review related data sources before closing.
  • Separate containment from corrective action in the record, and label each clearly.
  • Assess whether the issue affects other products, processes, suppliers, or sites.
  • Stand up data analysis and preventive action as their own processes, each with an owner, inputs, outputs, and a review cadence.

A QMSR Inspection Readiness Exercise That Beats a Checklist

A procedure-by-procedure gap assessment will not reveal how QMSR inspections actually probe a quality system. Tracing a single product through the system will.

Pick one marketed device, ideally one with real complaint history, supplier complexity, or recent changes, and follow the thread:

  • Can you produce the current risk file and explain how it is kept current?
  • Can you point to postmarket data that has actually been evaluated against it?
  • Are supplier controls visibly scaled to the risk of each purchased product or outsourced process?
  • Are complaints consistently captured, classified, investigated, trended, and escalated, with the results feeding risk and CAPA?
  • Does UDI reconcile across the label, your systems, GUDID, and the current marketed configuration?
  • Do your CAPAs reach the real cause rather than the visible symptom?

Wherever that trace breaks is where an investigator working from the risk file is most likely to start. Run the exercise on two or three products that represent your range, and you will have a realistic preview of your next QMSR inspection.

Preparing for QMSR inspections with The FDA Group

The early data confirms what the rule signaled: QMSR inspections evaluate whether risk connects your quality system, not whether each system can stand on its own. The organizations that hold up best are the ones that can show risk being identified, controlled, monitored, and updated across the product lifecycle.

The FDA Group supports medical device manufacturers through QMSR inspection readiness, mock FDA inspections, gap assessments, and remediation, drawing on former FDA investigators and senior quality consultants who know how the new inspection model works in practice.

If you want an outside read on how your quality system would hold up under a QMSR inspection, learn more about our services and contact us to talk through a readiness assessment.

Submit the form below to express your interest and get the conversation started. 
View full post